I'm still pretty new to web development, and have a question about security.

Every day I look at the "Latest Visitors" in my CPanel, and today there were some strange entries (one is pasted below).

Not knowing any better, it looks to me like there is some site that's referring users to my site, for some reason. Can someone explain what these really are, and if it's something to be concerned about? Thanks!

6 Answers

Someone is using Perl scripts with the LWP module to act like a web browser and request strange URLs from your server to make it do something dangerous. This can be an automated attack or someone is doing it manually.

The second entry is trying to make your server include ../../../../../../../../../../../../../../../proc/self/environ in the website which means go to the parent directory a lot of times (so probably end in the root directory) and show /proc/self/environ which in Linux shows the environment variables of your process which can give some useful information to the attacker. UPDATE: It is not only getting information but also probing for local file inclusion vulnerability where you can run arbitrary code by putting PHP code in User-Agent HTTP Header and then including /proc/self/environ in the page. (Thanks to aaz for pointing it out.)

The first entry is even more interesting because it is apparently trying to make your server download the attacker's code and run it. This is what I just got when I downloaded http://teen-37.net/myid.jpg - it's not a JPEG image but a PHP script:

And now when you decode "bXlpZHNjYW5AZ21haWwuY29t" you get the email address.

We now know what someone was trying to make your server do - send email with some info about your server.

You now have the IP of your attacking server which may or may not know that it is attacking - 77.68.38.175 seems to be server77-68-38-175.live-servers.net - and the email of the attacker which must be used to collect data once in a while, and also the domain hosting malicious code.

Search whois databases for the teen-37.net (which is hosting malicious code), the 77.68.38.175 IP address (which is attacking your server) and the 123.30.181.39 IP address (IP of teen-37.net) for contact info to people responsible for reporting abuse.

Also googling for teen-37.net and for some random parts of the malicious script might give you more interesting info.

Now, from the 404 response code we may assume that those two particular attacks didn't work but you can't be sure, because theoretically when the attacker is controlling your server he can respond to himself with 404 after doing what he wanted to do.

I've been in touch with my host and they checked my server e-mail records - and no e-mail was sent to that address. Whew! Maybe I'm doing something right, or it's just luck - either way, this is fascinating stuff, and thanks for everyone's help.
– Reg H, Feb 17 '11 at 23:48

In the first example someone is trying to include his own content in your site. Which could be done if your $_GET['p'] did a naive include() or file_get_contents() call. Same goes for the second example, although that one is to retrieve information about the systems environment.

I'd wager that the teen-37.net link is not the OP's, but a fixed path on the net owned by spammers and criminals, which leads to an image with a buffer overflow intended to break the OP's webserver.
– Tomalak Geret'kal, Feb 17 '11 at 15:45

Yes that much is obvious, I never said or implied it was the OP's domain. The possible attacker is trying to include his own content in the victim's website, whatever that content may be.
– Htbaa, Feb 17 '11 at 15:49

Yea. I'm not really sure why I wrote that now. I'm sure I had a good reason at the time!
– Lightness Races in Orbit, Apr 2 '11 at 21:48

Nope. The "referer" field in both of your sample log entries is empty. In this case, either the user went straight to the site, or their browser simply did not provide the referer header that yields this information.

In this case the browser or "user-agent" involved is libwww-perl, so it seems that some tool written in Perl is making the requests.

From the second URL it looks like an attempt at a hack on your web server. This is very common on the internet, and as long as your webserver is up-to-date you should not have any problems.

Looks like it's "someone" (probably just a script) probing for vulnerabilities. The first one looks like it's testing to see if it can get your site to perform arbitrary redirects or display arbitrary data and the second is trying to get your site to display arbitrary files on the file system.

This is attempting to probe your system processes. Whatever you do, make sure you sanitize your variables. Check for queries like this, because if this is injected into the wrong script, you'll have a lot of fixing to do.

Thanks for the info. But here's another stupid question - I've logged in and am using my site, and can't see anything strange, but is it immediately obvious if it's been compromised or they were successful?
– Reg H, Feb 17 '11 at 16:01

@Reg well, no attacker would reveal himself; on the contrary, they will try to hide their presence and silently use your site as a spam gateway or a botnet member or whatever. But it is also possible that they failed their attempt. Double-check your files. Once I discovered a nest of vipers in the WordPress downloads directory.
– Col. Shrapnel, Feb 17 '11 at 16:06

@Col. Shrapnel - It'll show how much I know, but do you mean to actually look at the files on my site for stuff that I didn't put there? I guess I'm just trying to figure out what to look for. I'll research this further when I know that the hacker was unsuccessful, but I am just trying to figure out that my site is still healthy. Thanks for your help!
– Reg H, Feb 17 '11 at 16:14